Finding Grafana instances

by Pearce Barry

A zero-day vulnerability in Grafana, a popular analytics and visualization platform, was leaked this week. The vulnerability gives attackers a path traversal vector that can result in data disclosure: an unauthenticated request can read files from the Grafana server's filesystem (anything the Grafana service account can open), including files containing confidential information or credentials. Tracked as CVE-2021-43798 with a "high" CVSS score of 7.5, the flaw lies in the logic that serves installed plugin assets from a Grafana instance's plugin path (e.g., <grafana_host_url>/public/plugins/<plugin-id>/): the plugin ID is checked against the installed plugins, but the remainder of the path is not confined to that plugin's directory. Because Grafana ships with plugins installed by default, every Grafana version from v8.0.0-beta1 through v8.3.0 is vulnerable (Grafana Cloud is reportedly not affected).
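To make the traversal concrete, here is an added illustration of the two ways a plugin-asset path can be resolved: the vulnerable pattern (validate the plugin ID, then join the rest of the path onto the plugin directory without confining it) beside a hardened resolver. This is example code written for this page, not Grafana's Go implementation; the plugin root, the installed-plugin set and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed values for this illustration; a real install keeps plugins under
# its data directory and the installed set comes from the application's plugin loader.
PLUGIN_ROOT = "/var/lib/grafana/plugins"
INSTALLED_PLUGINS = {"alertlist", "grafana-clock-panel"}
PLUGIN_URL_PREFIX = "/public/plugins/"


def parse_plugin_request(raw_path):
    """Split /public/plugins/<plugin-id>/<rest> into (plugin_id, rest).

    Percent-decode first: a client can send "..%2f" so that an intermediate
    proxy does not collapse the dot-dot segments before they reach the app.
    Returns None for paths outside the plugin URL space.
    """
    decoded = unquote(raw_path)
    if not decoded.startswith(PLUGIN_URL_PREFIX):
        return None
    plugin_id, _, rest = decoded[len(PLUGIN_URL_PREFIX):].partition("/")
    return plugin_id, rest


def resolve_vulnerable(plugin_id, rest):
    """The bug pattern: the plugin id is validated, but the remainder of the
    path is joined onto the plugin directory and normalised without ever
    checking that the result still lies inside that directory."""
    if plugin_id not in INSTALLED_PLUGINS:
        return None
    return posixpath.normpath(posixpath.join(PLUGIN_ROOT, plugin_id, rest))


def resolve_hardened(plugin_id, rest):
    """Confine the result to the plugin directory. commonpath (not a string
    prefix test) is used so that .../plugins/alertlist2/x does not pass as
    'inside' .../plugins/alertlist. An absolute `rest` is rejected by the same
    check because posixpath.join discards the base for absolute components."""
    if plugin_id not in INSTALLED_PLUGINS:
        return None
    base = posixpath.join(PLUGIN_ROOT, plugin_id)
    candidate = posixpath.normpath(posixpath.join(base, rest))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def serve(raw_path, resolver):
    """Map a request path to the file the given resolver would open, or None."""
    parsed = parse_plugin_request(raw_path)
    if parsed is None:
        return None
    return resolver(*parsed)


if __name__ == "__main__":
    traversal = "/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
    print("vulnerable:", serve(traversal, resolve_vulnerable))  # /etc/passwd
    print("hardened:  ", serve(traversal, resolve_hardened))    # None
    print("normal:    ", serve("/public/plugins/alertlist/module.js", resolve_hardened))
```

On a real filesystem the hardened resolver should also canonicalise with os.path.realpath before the containment check so a symlink inside the plugin directory cannot point back out. The containment check is the property to look for when reviewing any handler that serves files from a directory chosen by the client.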

This vulnerability was originally reported to Grafana on December 3rd, prior to its leak as an 0-day. Grafana made patched versions (8.3.1, 8.2.7, 8.1.8 and 8.0.7) available the day of the leak and advised anyone running a vulnerable version to update as soon as possible. If upgrading isn't an option, Grafana also published mitigation guidance: run the instance behind a reverse proxy that normalizes the request path, so traversal sequences are collapsed before the request reaches Grafana.

As part of good security hygiene, restrict public access to Grafana servers unless it is genuinely required. The vulnerable endpoint needs no authentication, so an internet-exposed instance can be read by anyone who finds it.

How to find Grafana instances

From the Asset Inventory, use the following pre-built query to locate Grafana instances within your network, then compare each instance's reported version against the affected range above to confirm whether it is vulnerable:

product:grafana

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
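Once the query has listed your instances, each one still has to be triaged by version. Below is an added example (not Rumble's code, and not its export format) that classifies Grafana version strings against the affected range and the fixed releases named above. The inventory rows are constructed for the example; in practice you would feed it the versions from your inventory export or from each instance's /api/health response.

```python
import re

# Affected range from the advisory: v8.0.0-beta1 through v8.3.0 inclusive.
AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX = (8, 3, 0)

# First fixed release on each affected minor line (published 2021-12-07).
FIXED_IN = {
    (8, 0): (8, 0, 7),
    (8, 1): (8, 1, 8),
    (8, 2): (8, 2, 7),
    (8, 3): (8, 3, 1),
}

# Tolerates "8.3.0", "v8.0.0-beta1" and banners such as "Version 8.3.0 (commit: ...)".
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None) or raise ValueError."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no semantic version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def assess(version_text):
    """Classify one Grafana version as 'vulnerable', 'patched' or 'not affected'."""
    core, _prerelease = parse_version(version_text)
    if not (AFFECTED_MIN <= core <= AFFECTED_MAX):
        # 7.x and earlier predate the bug; 8.3.1 and anything later ships the fix.
        return "not affected" if core < AFFECTED_MIN else "patched"
    # Inside the affected range a plain tuple comparison would call 8.0.7
    # vulnerable because it sorts below 8.3.0. The backported fixes live on
    # each minor line, so the per-line table makes the decision.
    return "patched" if core >= FIXED_IN[core[:2]] else "vulnerable"


# Constructed inventory rows standing in for an asset-inventory export.
SAMPLE_INVENTORY = [
    {"address": "10.0.1.10", "version": "8.3.0"},
    {"address": "10.0.1.11", "version": "v8.0.0-beta1"},
    {"address": "10.0.1.12", "version": "Version 8.2.7 (commit: 1f2e3d4)"},
    {"address": "10.0.1.13", "version": "7.5.11"},
    {"address": "10.0.1.14", "version": "8.3.1"},
    {"address": "10.0.1.15", "version": ""},
]


def triage(rows):
    """Group asset addresses by assessment; unparsable versions go under 'unknown'."""
    groups = {}
    for row in rows:
        try:
            status = assess(row["version"])
        except ValueError:
            status = "unknown"
        groups.setdefault(status, []).append(row["address"])
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts)}")
```

A version check cannot see whether a normalizing reverse proxy sits in front of an instance, so treat "vulnerable" as "needs the upgrade" even where the mitigation is in place, and chase every "unknown" entry until it has a real version. Grafana Cloud tenants are outside this triage, since the vendor reports them as not affected.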

Try Rumble

Don’t have Rumble and need help finding your Grafana instances? Start your Rumble trial today.
